CISS 300 Chapter 4 quiz

The ____ security policy is a planning document that outlines the process of implementing security in the organization.
a. program
Many corporations use a ____ to help secure the confidentiality and integrity of information.
d. data classification scheme
The ____ security policy is an executive-level document that outlines the organization’s approach and attitude towards information security and relates the strategic value of information security within the organization.
a. general
The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
a. transfer control
Management of classified data includes its storage and ____.
a. distribution
b. portability
c. destruction
d. All of the above
Answer: d. All of the above

____ policies address the particular use of certain systems.
a. Systems-specific
The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.
b. CBA
Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
b. appetite
____ addresses are sometimes called electronic serial numbers or hardware addresses.
d. MAC
The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
c. IR
Know yourself means identifying, examining, and understanding the threats facing the organization.
False
A(n) disaster recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress.
False
A best practice proposed for a small home office setting is appropriate to help design control strategies for a multinational company.
False
A(n) exposure factor is the expected percentage of loss that would occur from a particular attack.
True
____ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
c. Operational
The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
d. accept control
____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
b. DR
When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
d. standard of due care
Risk ____ is the application of controls to reduce the risks to an organization’s data and information systems.
b. control
The ____ strategy attempts to prevent the exploitation of the vulnerability.
b. defend control
The general management of an organization must structure the IT and information security functions to defend the organization's information assets. (T/F)
True
you realize you do not know the enemy, you will gain an advantage in every battle.” (Sun Tzu). (T/F)
False – If you know your enemy
Risk control is the application of controls to reduce the risks to an organization's data and information systems. (T/F)
True
Know yourself means identifying, examining, and understanding the threats facing the organization. (T/F)
False
Once the organizational threats have been identified, an assets identification process is undertaken. (T/F)
False – Once the assets have been identified, a threat identification process is undertaken
Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. (T/F)
False – It is more difficult
You should adopt naming standards that do not convey information to potential system attackers. (T/F)
True
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. (T/F)
True
The amount of money spent to protect an asset is based in part on the value of the asset. (T/F)
True
The value of intellectual property influences asset valuation. (T/F)
True
You cannot use qualitative measures to rank values. (T/F)
False
Protocols are activities performed within the organization to improve security. (T/F)
False – Programs are activities performed within the organization to improve security
Eliminating a threat is an impossible proposition. (T/F)
False – Possible, but difficult
To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (T/F)
True
Leaving unattended computers on is one of the top information security mistakes made by individuals. (T/F)
True
Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. (T/F)
True
CBAs cannot be calculated after controls have been functioning for a time. (T/F)
False – A CBA can be calculated both before and after controls are in place
Metrics-based measures are generally less focused on numbers and more strategic than process-based measures. (T/F)
False – Metrics-based measures are generally more focused on numbers; process-based measures are more strategic
Best business practices are often called recommended practices. (T/F)
True
Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming. (T/F)
True
The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. (T/F)
True
Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. (T/F)
True
Risk control is the examination and documenting of the security posture of an organization's information technology and the risks it faces. (T/F)
False – Risk identification is
Mutually exclusive means that all information assets must fit in the list somewhere. (T/F)
False – Comprehensive means that all information assets must fit in the list somewhere
One way to determine which information assets are critical is by evaluating how much of the organization's revenue depends on a particular asset. (T/F)
True
Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile. (T/F)
False – This examination is known as a threat assessment
Risk evaluation assigns a risk rating or score to each information asset. (T/F)
False – Risk assessment assigns a risk rating or score to each information asset
Policies are documents that specify an organization's approach to security. (T/F)
True
Program-specific policies address the specific implementations or applications of which users should be aware. (T/F)
False – Issue-specific policies address these
The most common of the mitigation procedures is the disaster recovery plan. (T/F)
True
The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. (T/F)
True
Likelihood risk is the risk to the information asset that remains even after the application of controls. (T/F)
False – Residual risk is the risk that remains after controls are applied
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. (T/F)
True
ALE determines whether or not a particular control alternative is worth its cost. (T/F)
False – The CBA determines this; ALE is an input to it
A(n) qualitative assessment is based on characteristics that do not use numerical measures. (T/F)
True
Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. (T/F)
False – Metrics-based measures are comparisons based on numerical standards
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. (T/F)
True
In information security, benchmarking is the comparison of security activities and events against the organization's future performance. (T/F)
False – Baselining is
Within organizations, technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest. (T/F)
False – Political feasibility
Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. (T/F)
False – Risk appetite
Risk ____ is the application of controls to reduce the risks to an organization's data and information systems.
control
The concept of competitive ____ refers to falling behind the competition.
disadvantage
The first phase of risk management is ____.
risk identification
____ addresses are sometimes called electronic serial numbers or hardware addresses.
MAC
Many corporations use a ____ to help secure the confidentiality and integrity of information.
data classification scheme
A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
FCO (field change order)
The military uses a ____-level classification scheme.
five
In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
confidential
Management of classified data includes its storage and ____.
All of the above
There are individuals who search trash and recycling, a practice known as ____, to retrieve information that could embarrass a company or compromise information security.
dumpster diving
In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factors.
weighted factor analysis
____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
Risk
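The risk-rating formula above, together with the weighted factor analysis, exposure factor, ALE and CBA definitions that appear elsewhere in this key, can be worked through in code. The following block is an added illustration and is not part of the quiz or the textbook; every asset value, weight, likelihood, control percentage and cost figure in it is constructed for the example (the two vulnerabilities in the test mirror the arithmetic the formula implies: a 50-point asset with likelihood 1.0, no controls and 10% uncertainty rates 55; the same asset with likelihood 0.5, 50% controlled and 20% uncertainty rates 17.5).

```python
"""Worked risk-rating and cost-benefit arithmetic for the Chapter 4 formulas.

Added illustration, not part of the quiz key. All numeric inputs used
here are constructed for the example.
"""

from dataclasses import dataclass
from typing import Dict, List


def weighted_factor_score(ratings: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted factor analysis: each asset is rated 0-1 on every critical
    factor, the factor weights sum to 100, and the asset's score is the
    weighted sum. Raises if the weights do not sum to 100."""
    if abs(sum(weights.values()) - 100.0) > 1e-9:
        raise ValueError("criterion weights must sum to 100")
    if set(ratings) != set(weights):
        raise ValueError("ratings and weights must cover the same criteria")
    return sum(ratings[c] * weights[c] for c in weights)


@dataclass
class Vulnerability:
    name: str
    asset_value: float   # relative worth of the asset, e.g. a weighted factor score
    likelihood: float    # probability the vulnerability is exploited, 0.0-1.0
    controlled: float    # fraction of the risk already mitigated by current controls
    uncertainty: float   # fraction added for imperfect knowledge of the vulnerability


def risk_rating(v: Vulnerability) -> float:
    """Risk = (likelihood x value)
              - (likelihood x value x percentage already controlled)
              + (likelihood x value x uncertainty)."""
    base = v.likelihood * v.asset_value
    return base - base * v.controlled + base * v.uncertainty


def rank_by_risk(vulns: List[Vulnerability]) -> List[str]:
    """Names of the vulnerabilities, highest risk rating first."""
    return [v.name for v in sorted(vulns, key=risk_rating, reverse=True)]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (expected fraction lost in one attack)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.
    A positive result means the control saves more than it costs per year."""
    return ale_prior - ale_post - annual_cost_of_safeguard


if __name__ == "__main__":
    # Constructed example: score one asset on three criteria, then rate two
    # vulnerabilities against it and rank them.
    weights = {"revenue_impact": 50, "profitability": 30, "public_image": 20}
    asset_score = weighted_factor_score(
        {"revenue_impact": 0.8, "profitability": 0.5, "public_image": 1.0}, weights)
    vulns = [
        Vulnerability("v1_no_control", asset_score, 1.0, 0.0, 0.1),
        Vulnerability("v2_half_controlled", asset_score, 0.5, 0.5, 0.2),
    ]
    for v in vulns:
        print(f"{v.name}: risk rating {risk_rating(v):.1f}")
    print("priority order:", rank_by_risk(vulns))

    # Constructed CBA: a control cuts both the exposure factor and the yearly
    # rate of occurrence, at an annual cost of 2000.
    ale_before = annualized_loss_expectancy(single_loss_expectancy(100_000, 0.25), 0.2)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(100_000, 0.05), 0.1)
    print("CBA:", cost_benefit(ale_before, ale_after, 2_000))
```

The `controlled` and `uncertainty` terms are both applied to the same likelihood-times-value product, which is why a vulnerability that is "50% controlled" with "20% uncertainty" does not simply net out to a 30% reduction; the CBA helper returns a signed number so a control whose annual cost exceeds the loss it prevents shows up as negative rather than being silently accepted.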
The ____ security policy is an executive-level document that outlines the organization's approach and attitude towards information security and relates the strategic value of information security within the organization.
general
The ____ security policy is a planning document that outlines the process of implementing security in the organization.
program
____ policies address the particular use of certain systems.
Systems-specific
The ____ strategy attempts to prevent the exploitation of the vulnerability.
defend control
The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
transfer control
The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
IR
____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
DR
The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
accept control